Github user rnewson commented on the pull request:
https://github.com/apache/couchdb-couch/pull/80#issuecomment-127039548
The list of tests we need:
1) a request with no cookie and with `X-CouchDB-CSRF` header set to true
results in `Set-Cookie` response header for a cookie named `CouchDB-CSRF`.
2) a request that has a `CouchDB-CSRF` cookie but not `X-CouchDB-CSRF`
request header is rejected with a 403.
3) a request that has a `CouchDB-CSRF` cookie and a `X-CouchDB-CSRF`
request header, but that do not match each other, is rejected with a 403.
4) a request that has a `CouchDB-CSRF` cookie and a `X-CouchDB-CSRF`
request header, that do match each other, is accepted.
5) a request that has an expired `CouchDB-CSRF` cookie and a
`X-CouchDB-CSRF` request header, that do match each other, is rejected with a
400.
6) a request that has no `CouchDB-CSRF` cookie and a `X-CouchDB-CSRF`
request header, that do match each other, is rejected with a 400.
7) a request that has a `CouchDB-CSRF` cookie and a `X-CouchDB-CSRF`
request header, that do match each other, made more than halfway through the
cookie's lifetime, is accepted and a new `CouchDB-CSRF` is returned (with a
full lifetime).
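The comment above is a test plan for a double-submit CSRF cookie: the server mints a cookie, the client must echo its value back in the `X-CouchDB-CSRF` header, and the server accepts only when the two agree and the cookie has not expired. The following is an added Python illustration of a check that satisfies every listed case; it is not CouchDB's own (Erlang) implementation. It assumes a cookie value of the form `<nonce>:<expiry>:<hmac>` signed with a per-process secret, a one-hour lifetime, and that a request carrying neither cookie nor header (a case the list does not cover) is passed through unchanged.

```python
"""Double-submit CSRF check covering the cases listed in the PR comment.

Added illustration, not CouchDB's implementation. Assumed: cookie value is
"<nonce>:<expiry>:<hmac-sha256>" signed with a server secret; lifetime is
3600 s; a request with neither cookie nor header is outside the listed cases
and is passed through unchanged.
"""
import hashlib
import hmac
import os
import time

COOKIE_NAME = "CouchDB-CSRF"
HEADER_NAME = "X-CouchDB-CSRF"
LIFETIME = 3600            # assumed cookie lifetime in seconds
SECRET = os.urandom(32)    # assumed server-side signing key (per process)


def make_token(now, secret=SECRET, lifetime=LIFETIME):
    """Mint a fresh cookie value whose full lifetime starts at `now`."""
    expires = int(now) + lifetime
    payload = f"{os.urandom(8).hex()}:{expires}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def token_expiry(token, secret=SECRET):
    """Return the expiry timestamp if `token` is well-formed and carries a
    valid signature, otherwise None (tampered or malformed values never
    yield an expiry the caller could trust)."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    nonce, expires, mac = parts
    expected = hmac.new(secret, f"{nonce}:{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    try:
        return int(expires)
    except ValueError:
        return None


def check_csrf(cookie, header, now, secret=SECRET, lifetime=LIFETIME):
    """Apply the rules from the test list to one request.

    `cookie` is the CouchDB-CSRF cookie value (or None), `header` is the
    X-CouchDB-CSRF header value (or None), `now` is the request time.
    Returns (status, set_cookie): status 200 means the request proceeds;
    set_cookie is a new cookie value to send back, or None.
    """
    if cookie is None and header is None:
        return 200, None            # assumption: not in the list; pass through
    if cookie is None and header == "true":
        return 200, make_token(now, secret, lifetime)   # bootstrap: issue cookie
    if cookie is None:
        return 400, None            # header present but no cookie -> 400
    if header is None:
        return 403, None            # cookie present but no header -> 403
    # Constant-time comparison so a mismatch cannot be timed byte by byte.
    if not hmac.compare_digest(cookie.encode(), header.encode()):
        return 403, None            # cookie and header differ -> 403
    expires = token_expiry(cookie, secret)
    if expires is None or expires <= now:
        return 400, None            # expired (or unverifiable) cookie -> 400
    if expires - now < lifetime / 2:
        return 200, make_token(now, secret, lifetime)   # past halfway: renew
    return 200, None                # matching, unexpired -> accepted


if __name__ == "__main__":
    t0 = int(time.time())
    status, fresh = check_csrf(None, "true", t0)
    print(status, fresh)
    print(check_csrf(fresh, fresh, t0))
    print(check_csrf(fresh, fresh, t0 + LIFETIME // 2 + 1))
```

The renewal rule is evaluated only after the match and expiry checks, so a client never receives a fresh cookie in response to a request that was rejected; the expiry is embedded in the signed value rather than stored server-side, which is what lets the check stay stateless.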